PHP
jasonOk, 2015-06-26 14:15:43

How safe is it to simply use the TinyMCE WYSIWYG editor?

I want to put tinymce on the site so that everyone can write text and edit it (after that, of course, it will be displayed on the pages of the site). But I wonder - how safe is it?
It's a no-brainer that it's not at all safe to do this... Although it seems that if you display the text entered into the editor using htmlspecialchars(), the `<script></script>` tags will display as `&lt;script>`, in other words they are not let through, and if you select the "<> source code" mode and enter all the tags yourself, then it cuts out the entire script. So I'm wondering whether such protection can be trusted and whether the "threat" is limited to the `<script>` tag? Or is it impossible to do without HTML Purifier here?



1 answer(s)
6
65536, 2015-06-26
@65536

TinyMCE by default mercilessly cuts almost everything, but on the client side. That is, by forging its request, you can post anything. So you need to cut it yourself on the server. Also, if desired, you can fake a request to upload images, and indeed to any of its connectors. In general, the most correct thing is to check every action on the server. And removing buttons in the editor is a purely decorative setting.
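The server-side check the answer calls for, as an added example that is not part of the original post or of TinyMCE: the submitted HTML is parsed with DOMDocument and rebuilt from an allowlist, so anything the client-side editor would have removed is removed again regardless of what the browser actually sent. The set of permitted tags and attributes, the URL schemes, and the `HtmlAllowlist` class name are assumptions chosen for the illustration; a site that does not need rich text at all can skip this and escape on output with htmlspecialchars() as the question suggests, and a production site would normally reach for the HTML Purifier library the question mentions rather than a hand-rolled filter.

```php
<?php
// Added example, not from the original post: allowlist-based sanitization of
// HTML submitted from TinyMCE, run on the server where the client cannot skip it.
// The allowlists below are an assumption about which formatting the site keeps.
declare(strict_types=1);

final class HtmlAllowlist
{
    /** @var array<string, string[]> tag => attributes permitted on it */
    private const ALLOWED = [
        'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
        'u' => [], 'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
        'h2' => [], 'h3' => [],
        'a'   => ['href', 'title'],
        'img' => ['src', 'alt'],
    ];

    /** Elements whose content is removed along with the tag (nothing inside is user prose). */
    private const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'noscript', 'template'];

    private const SAFE_SCHEMES = ['http', 'https', 'mailto'];

    public static function clean(string $html): string
    {
        $doc = new DOMDocument();
        $prev = libxml_use_internal_errors(true);   // tolerate the broken markup users send
        // The XML declaration keeps non-ASCII text intact; the <div> is our own wrapper.
        $doc->loadHTML(
            '<?xml encoding="utf-8"?><div>' . $html . '</div>',
            LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
        );
        libxml_clear_errors();
        libxml_use_internal_errors($prev);

        $root = $doc->getElementsByTagName('div')->item(0); // first div is the wrapper
        if ($root === null) {
            return '';
        }
        self::walk($root);

        $out = '';
        foreach ($root->childNodes as $child) {
            $out .= $doc->saveHTML($child);  // serializer re-escapes text nodes
        }
        return $out;
    }

    private static function walk(DOMNode $node): void
    {
        // Iterate over a snapshot: the live childNodes list changes as we edit.
        foreach (iterator_to_array($node->childNodes) as $child) {
            if ($child instanceof DOMComment) {
                $node->removeChild($child);          // comments carry no user content
                continue;
            }
            if (!($child instanceof DOMElement)) {
                continue;                             // text nodes are kept
            }
            $tag = strtolower($child->tagName);
            if (!isset(self::ALLOWED[$tag])) {
                if (in_array($tag, self::DROP_WITH_CONTENT, true)) {
                    $node->removeChild($child);
                } else {
                    // Unknown but harmless wrapper (div, span, font, ...): keep its
                    // cleaned children, drop the tag itself.
                    self::walk($child);
                    while ($child->firstChild !== null) {
                        $node->insertBefore($child->firstChild, $child);
                    }
                    $node->removeChild($child);
                }
                continue;
            }
            self::filterAttributes($child, self::ALLOWED[$tag]);
            self::walk($child);
        }
    }

    private static function filterAttributes(DOMElement $el, array $allowed): void
    {
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->name);
            // Anything not on the list goes: style, class, id and every on* handler.
            if (!in_array($name, $allowed, true)) {
                $el->removeAttribute($attr->name);
            } elseif (($name === 'href' || $name === 'src') && !self::safeUrl($attr->value)) {
                $el->removeAttribute($attr->name);
            }
        }
        if (strtolower($el->tagName) === 'a' && $el->hasAttribute('href')) {
            $el->setAttribute('rel', 'noopener noreferrer');
        }
    }

    /** Accept fragments, site-relative paths and absolute http/https/mailto URLs only. */
    private static function safeUrl(string $url): bool
    {
        $url = trim($url);
        if ($url === '' || $url[0] === '#') {
            return true;
        }
        if ($url[0] === '/') {
            return !str_starts_with($url, '//');      // "//host/..." is protocol-relative
        }
        $scheme = parse_url($url, PHP_URL_SCHEME);
        return is_string($scheme) && in_array(strtolower($scheme), self::SAFE_SCHEMES, true);
    }
}

// Constructed sample input standing in for a POST body; not taken from the post.
$submitted = '<p onclick="x()">Hello <b>world</b></p><script>alert(1)</script>'
           . '<a href="javascript:alert(1)">link</a><a href="https://example.com">ok</a>';
echo HtmlAllowlist::clean($submitted), PHP_EOL;
```

Run the filter on every path that accepts editor content, including the image upload and other connector endpoints the answer mentions, and store or render only the cleaned result; the editor's own toolbar configuration is then just a convenience for honest users.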
